Biometric Privacy – BIPA

May 2017


Class Action Against Employer Using Fingerprints To Track Workforce

Baron v. Roundy’s
Class complaint – Roundy’s supermarkets allegedly forced employees to use fingerprints to clock ‘in’ and ‘out’ of their work shifts. Plaintiff alleged Illinois employees are required to submit fingerprints, but Roundy’s failed to:
• inform employees in writing that a biometric identifier or biometric information was being recorded, obtained, collected or stored
• inform employees in writing the specific purpose(s) for which biometric information was being recorded, obtained, collected or stored
• inform employees in writing the retention period for biometric identifiers or biometric information
• inform employees in writing how biometric identifiers or biometric information would be destroyed
• obtain employees’ proper written consent to the recording, collection, obtainment or storage of their biometric identifiers and biometric information derived therefrom
• obtain a written release from employees executed as a condition of employment
Plaintiff further alleged existing Illinois employees were retroactively required to submit fingerprints without proper notice and consent.

The case was removed to federal court 11 May 2017.
[N.D. Ill; 1:17-cv-03588 (Orig: Cook Co. Cir. Ct.; 2017CH03281)]
jbho: Roundy’s was acquired by Kroger’s in 2015. BIPA was enacted in 2008, and it appears Roundy’s was scanning fingerprints back in 2013. I wonder if BIPA considerations were part of the M&A due diligence? One we should add to our checklists…

 

February 2017

Video Game Maker Survives BIPA Face-Off

Vigil v. Take-Two
Dismissed with prejudice – Take-Two allegedly failed to provide adequate notice and consent for collection, storage, use, and retention of plaintiffs’ biometric data. Plaintiffs used the ‘MyPlayer’ feature to create in-game characters with their faces. Plaintiffs followed in-game instructions (approximately a 15-minute process) after agreeing to the following terms and conditions:

Your face scan will be visible to you and others you play with and may be recorded or screen captured during gameplay. By proceeding you agree and consent to such uses and other uses pursuant to the End User License Agreement. http://www.take2games.com/eula

Plaintiffs alleged the disclosure was insufficient to inform them their biometric data was being captured, thus negating any consent. They further argued they could not return the opened game, and would not have purchased the game had they been adequately informed. Additionally, plaintiffs alleged Take-Two failed to publicly provide a retention schedule or guidelines for destruction of biometric data. Finally, plaintiffs alleged they suffered economic losses in the form of misappropriation of their biometric data.

The court found:

  • Take-Two only used the biometric data as both parties intended
  • The game functioned exactly as plaintiffs expected (they agreed to the terms and scanned their faces)
  • Any deficiencies in the notice were bare procedural violations
    • that the notice used the term ‘face scan’ rather than ‘biometric identifier’ (“a statutory term of art”) had no real impact on BIPA interests
  • Plaintiffs should have expected the face scan would need to be stored in order to use their faces in game play
    • “a merely procedurally deficient notice does not automatically invalidate any resulting consent”
  • Plaintiffs’ alleged apprehension based on hypothetical misuse was too speculative and abstract to support standing (citing Clapper v. Amnesty International: “(plaintiffs) cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.”)
  • Appropriation claims failed since plaintiffs consented to the face scans (particularly since plaintiffs failed to allege Take-Two had used their facial scans to promote or advertise its game, or otherwise profit by using or selling their data).
  • There was no intrusion since plaintiffs consented to the face scans
  • Unlawful retention alone, absent some form of alleged disclosure or misuse, did not constitute a concrete injury (plaintiffs did not allege their face scans had been obtained or misused).
  • Benefit of the bargain arguments failed since
    • plaintiff pled no breach of contract or unjust enrichment claims
    • legal compliance is not ordinarily presumed to be part of a contractual bargain
  • The court also found that under Illinois law, to be ‘aggrieved’ meant more than just a ‘zone-of-interest’ nexus; there must be a direct link between the statutory violation and the resultant harm.

The court found further amendment to the FAC would be futile, and dismissed the complaint with prejudice.
[S.D. N.Y.; 1:15-cv-08211]
jbho: a detailed opinion that I believe can help plan disclosures and policy items around BIPA compliance – well worth a dive into the 50 page opinion. And it’d be great to have someone double check my work.

As I see it, lessons here include:

  • If data use falls within the realm of consumer expectations, you may not need to worry about minor wording choices in your notice
    • however, statements still can’t be misleading or deceptive
  • If you don’t share, there is no harm
    • still best to destroy data on a regular schedule, even if it’s not called out in your notice
  • If someone is surprised by how your product works after-the-fact, let them return the product – even if it falls outside your normal refund policies (consistent with OTA IoT guidelines)

 

Native Photo App Needs More Scrutiny

Rivera v. Google
Motion to dismiss denied – Google, through its built-in Android ‘Google Photos’ app, allegedly applied a proprietary facial recognition technology to every photo uploaded by the app. Google then allegedly used the face templates to organize and group photos, irrespective (allegedly) of whether the face belongs to a Google Photos user or non-user.

• Plaintiff Weiss, who purchased a Google ‘Droid’, claimed Google used his face template to recognize his gender, age, race, and location.
• Plaintiff Rivera, who claims to have never had a Google ‘Droid’, claimed Google used her face template to recognize her gender, age, race, and location.

Google allegedly did the above without informing either plaintiff, without obtaining written consent, and without specifying retention policies and destruction guidelines as required under BIPA.

On Google’s claim that information derived from photographs is not covered under BIPA (740 ILCS 14/10), the court found a straightforward reading of BIPA indicated that Google was creating Biometric Identifiers (“scan of … face geometry”). The scans do not necessarily have to be performed live [“(I)t is unlikely that the statute sought to limit the definition of biometric identifier by limiting how the measurements are taken.” (emphasis in original)]. Once discovery revealed what Google was actually doing, it could be determined that Google’s process was not creating Biometric Identifiers. But at the motion to dismiss phase, Plaintiffs’ allegations must be taken as true.

On Google’s claim the contested activity did not take place in Illinois, the court found it persuasive that plaintiffs were Illinois residents, photos were taken in Illinois, and uploaded to the cloud in Illinois. Even if the scanning took place outside of Illinois, more information was needed on the totality-of-circumstances to determine if Illinois law applied.

On Google’s claim BIPA conflicts with the federal Constitution’s Dormant Commerce Clause, the court again found that more information was needed to determine whether the activity occurred wholly outside Illinois.

[N.D. Ill; 1:16-cv-02714]
jbho: wow – 20 pages of dicta on the definitions of biometric identifier and biometric information, including analysis of the legislative process in developing BIPA. Very informative and worth the read if you have time.

For the record, 740 ILCS 14/10 says:
Sec. 10. Definitions. In this Act:
“Biometric identifier” means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. Biometric identifiers do not include … photographs … demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color. (emphasis added)
“Biometric information” means any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual. Biometric information does not include information derived from items or procedures excluded under the definition of biometric identifiers.

 

December 2016

First Settlement Reached Under Illinois’ Biometric Law

Sekura v. LA Tan
$1.5M settlement approved – LA Tan allegedly used fingerprint scanning technology to identify its customers in a membership database, but failed to: 1) obtain written consent, 2) provide information about how it would store the biometric data, and 3) provide information about if/when/how the data would be destroyed. No alternative to the fingerprint was offered. Highlights include:
• $1,500,000 settlement fund
• $125 for each class member
• $5,000 for class representative
• $600,000 for class counsel (40% of settlement fund)
LA Tan must also either put processes in place to comply with BIPA or destroy all biometric data it still holds.
[Circuit Court of Cook County; 2015-CH-16694]
jbho: In the absence of clear guidance, it may be worth considering to: 

  • Provide clear and conspicuous notice of the collection, purpose of use, and potential disclosures of information that might be considered ‘biometric’
    • cover in both your user agreement and privacy policy
  • Obtain express consent of the individual
  • Provide clear and conspicuous notice of opt-out procedures
  • Specify your retention practices
